This is a security release of the Fall 2007 snapshot release of MediaWiki. Possible cross-site information leaks using the callback parameter for JSON-formatted results in the API are prevented by dropping user credentials.

MediaWiki release versions prior to 1.11 are not vulnerable, as they do not include the callback feature which allows client-side JavaScript on other sites to reach API data.
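To illustrate the mitigation described above, here is an added, self-contained Python model (not MediaWiki's PHP code) of an API endpoint that serves user info either as plain JSON or wrapped in a JavaScript callback, and runs the request as an anonymous user whenever a callback parameter is present, since the wrapped response will execute as a script on whatever origin requested it. The session table, user data, and the callback-name check are constructed for this example.

```python
import json
import re

# Constructed session store and user data for the example (hypothetical).
SESSIONS = {"sess-abc": "Alice"}
USER_INFO = {
    "Alice": {"name": "Alice", "email": "alice@example.org", "rights": ["edit", "delete"]},
}
ANON_INFO = {"name": "127.0.0.1", "anon": True, "rights": ["read"]}

# Added check: only accept a plain JavaScript identifier as the callback name,
# so the wrapper cannot be used to inject arbitrary script text.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]*$")


def resolve_user(cookies, params):
    """Return the user name the request runs as, or None for anonymous.

    A request with a 'callback' parameter is a cross-site script-tag load
    that still carries the victim's cookies, so the session is ignored and
    the request is processed as anonymous. That is the credential drop.
    """
    if "callback" in params:
        return None
    return SESSIONS.get(cookies.get("session"))


def api_userinfo(cookies, params):
    """Return (content_type, body) for a userinfo query."""
    user = resolve_user(cookies, params)
    data = USER_INFO[user] if user else ANON_INFO
    body = json.dumps({"query": {"userinfo": data}})
    callback = params.get("callback")
    if callback is None:
        return "application/json", body
    if not CALLBACK_RE.match(callback):
        raise ValueError("invalid callback name")
    return "text/javascript", f"{callback}({body})"
```

With a valid session cookie and no callback the private fields are returned; the same cookie plus `callback=cb` yields only the anonymous record inside `cb(...)`.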

MediaWiki is now using a "continuous integration" development model with quarterly snapshot releases. The latest development code is always kept "ready to run", and in fact runs our own sites on Wikipedia.

Release branches will continue to receive security updates for about a year from first release, but nonessential bugfixes and feature developments will be made on the development trunk and appear in the next quarterly release.

Those wishing to use the latest code instead of a branch release can obtain it from source control: Download from SVN

A possible HTML/XSS injection vector in the API pretty-printing mode has been found and fixed.

The vulnerability may be worked around in an unfixed version by simply disabling the API interface if it is not in use, by adding this to LocalSettings.php: $wgEnableAPI = false; (This is the default setting in 1.8.x.)

Introducing new image keyword 'upright' and corresponding variable $wgThumbUpright. This allows a better proportional view of upright images relative to landscape images on a page, without nailing the width of upright images to a fixed value, which makes views for anonymous users disproportionate and user preferences useless.

Throw a showstopper exception when a hook function fails to return a value. Forgetting to give a 'true' return value is a very common error which tends to cause hard-to-track-down interactions between extensions.

Use $wgJobClasses to determine the correct Job to instantiate for a particular queued task; allows extensions to introduce custom jobs

(bug 10326) AJAX-based page watching and unwatching has been cleaned up and enabled by default.

New Parser::setTransparentTagHook for parser extension and template compatibility

Introduced 'ContributionsToolLinks' hook; see docs/hooks.txt for more information

Add a message if category is empty

Add CSS compatibility for Opera 9.5

Remove largely untested handheld stylesheet, which was causing more trouble than good. Proper handheld support will be added at a future date. For now, display should be acceptable either with CSS turned off or when using a sophisticated handheld browser.

(bug 3173) Option to offer exported pages as a download, rather than displaying inline, as in most browsers

Pass the user as an argument to 'isValidPassword' hook callbacks; see docs/hooks.txt for more information

Introduce 'UserGetRights' hook; see docs/hooks.txt for more information

(bug 9595) Pass new Revision to the 'ArticleInsertComplete' and 'ArticleSaveComplete' hooks; see docs/hooks.txt for more information

(bug 1438) Fix for diff table layout on very wide lines. Diff style rules have been broken out to common/diff.css, and the dupes removed from the default skin files. Skins can still override the default rules.

(bug 8577) Fix some weird misapplications of time zones. {{CURRENT*}} functions now consistently use UTC as intended, while {{LOCAL*}} functions return local time per server config or $wgLocaltimezone. Signature dates for Japanese and other languages including weekday now show the correct day to match the rest of the time in local time.

Escape the output of magic variables that return page name or part of it

(bug 10309) Initialise parser state properly in extractSections(), fixes some cases where section edits broke because tags were improperly stripped

Use native XMLHttpRequest class in preference to ActiveX on IE 7; this avoids the "Do you want to allow ActiveX?" prompt when security settings are cranked up and AJAX features get used.

Delay AJAX watch initialization until click so IE 6 with ugly security settings doesn't prompt you until you use the link.

(bug 10401) Provide non-redirecting link to original title in Special:Movepage

Fix broken handling of log views for page titles consisting of one or more zeros, e.g. "0", "00" etc.

1.11 has several database changes since 1.10, and will not work without schema updates.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, some major database changes are made, and there is a slightly higher chance that things could break. Don't forget to always back up your database before upgrading!

Some output, particularly involving user-supplied inline HTML, may not produce 100% valid or well-formed XHTML output. Testers are welcome to set $wgMimeType = "application/xhtml+xml"; to test for remaining problem cases, but this is not recommended on live sites. (This must be set for MathML to display properly in Mozilla.)